How to decode IP within USB datastream?

Scenario: Cradlepoint MBR900 switch/router with USB port, with Verizon 3G data dongle providing Wireless data network access. I want to see the traffic between the MBR900 and the dongle. I suspect a USB TAP/Splitter will be needed so the Tx/Rx is split to the RX of two separate USB ports on my capture host. Then the two received streams will need to be merged into a single capture file. Then is it possible to decode USB as the underlying protocol like Ethernet is decoded, with IP on top of that? Possible? I've not found a method yet, and my search-fu seems to be lacking today...

asked 09 Dec '14, 09:52 intermediate...
3 Answers:
Hi, it's possible to capture USB packets with usbmon (on Linux) or USBPcap (on Windows). Then depending on the USB dongle enumeration (will it be CDC-ECM, NCM, MBIM?) Wireshark 1.12.2 might be able to decode the encapsulated Ethernet / IP packets. Note that to get the best possible USB dissection, it is highly recommended to plug in the dongle after starting usbmon / USBPcap so that USB enumeration is part of the capture (this way Wireshark knows which endpoint corresponds to what).

answered 09 Dec '14, 10:04 Pascal Quantin edited 09 Dec '14, 10:12 (09 Dec '14, 10:24) cmaynard ♦♦
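How IP ends up inside a USB bulk transfer when the dongle enumerates as CDC-NCM or MBIM, shown as an added example that is not part of the answer above and not Wireshark's code: each transfer carries a 16-bit NTB whose header points at Ethernet frames (NCM) or raw IP datagrams (MBIM). The function names and the sample transfer are constructed for illustration, and only the 16-bit NTB layout is handled.

```python
import socket
import struct

def parse_ntb16(ntb: bytes):
    """Split one 16-bit NTB (one USB bulk transfer) into (kind, datagram) pairs."""
    if len(ntb) < 12:
        raise ValueError("shorter than an NTH16 header")
    sig, hdr_len, _seq, block_len, ndp_index = struct.unpack_from("<4sHHHH", ntb, 0)
    if sig != b"NCMH" or hdr_len != 12 or block_len > len(ntb):
        raise ValueError("not a complete NTH16 block")
    end, out, seen = block_len or len(ntb), [], set()
    while ndp_index:                      # follow the chain of NDP16 tables
        if ndp_index in seen or ndp_index + 8 > end:
            raise ValueError("bad NDP index")
        seen.add(ndp_index)
        nsig, ndp_len, next_ndp = struct.unpack_from("<4sHH", ntb, ndp_index)
        if nsig in (b"NCM0", b"NCM1"):    # CDC-NCM: Ethernet frames (NCM1 adds a CRC32)
            kind = "ethernet"
        elif nsig[:3] == b"IPS":          # MBIM: raw IP, 4th byte is the session id
            kind = "ip"
        else:
            raise ValueError("unknown NDP signature")
        if ndp_len < 8 or ndp_index + ndp_len > end:
            raise ValueError("bad NDP length")
        for off in range(ndp_index + 8, ndp_index + ndp_len - 3, 4):
            d_idx, d_len = struct.unpack_from("<HH", ntb, off)
            if d_idx == 0 or d_len == 0:  # zero entry terminates the table
                break
            if d_idx + d_len > end:
                raise ValueError("datagram outside NTB")
            out.append((kind, ntb[d_idx:d_idx + d_len]))
        ndp_index = next_ndp
    return out

def ipv4_endpoints(kind, dgram):
    """Return (src, dst) for an IPv4 datagram, or None for anything else."""
    if kind == "ethernet":  # strip the 14-byte Ethernet header, IPv4 ethertype only
        dgram = dgram[14:] if dgram[12:14] == b"\x08\x00" else b""
    if len(dgram) < 20 or dgram[0] >> 4 != 4:
        return None
    return socket.inet_ntoa(dgram[12:16]), socket.inet_ntoa(dgram[16:20])

def sample_ntb():
    """Constructed transfer: one Ethernet frame, 192.0.2.1 -> 198.51.100.7."""
    frame = bytes.fromhex("020000000001" "020000000002" "0800" "45000014000040004006" "0000" "c0000201" "c6336407")
    nth = struct.pack("<4sHHHH", b"NCMH", 12, 0, 28 + len(frame), 12)
    ndp = struct.pack("<4sHHHHHH", b"NCM0", 16, 0, 28, len(frame), 0, 0)
    return nth + ndp + frame
```

The input to `parse_ntb16` is the data of one bulk transfer from the capture, with the usbmon or USBPcap pseudo-header already removed.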
If you don't have login access to the Cradlepoint, then you may need to purchase a USB analyzer. There are several products available. The following short list is just a small sample of some of them and not meant to be an endorsement of any particular vendor or product:

A related question: https://ask.wireshark.org/questions/28310/hardware-for-capture-usb-data-packet

answered 09 Dec '14, 10:33 cmaynard ♦♦

I do have management access to the MBR900, but it's a pretty limited device. I'm attempting to determine if the MBR900 or Verizon is blocking non-passive FTP traffic (I think it's Verizon, actually). Thanks for the links, I'll check them out. (09 Dec '14, 11:47) intermediate...
Hi, I don't think you need a USB analyzer. All you need is the OpenWRT distro loaded onto your router and you'll be able to run tcpdump and extract IP data straight out of the box. Regards m

answered 10 Dec '14, 09:02 izopizo

OpenWRT would maybe be an option if CRADLEPOINT were supported. (10 Dec '14, 09:25) intermediate...
For those unfamiliar with the CradlePoint MBR900, it's a Wi-Fi router that can either take an Ethernet cable to a cable modem/DSL modem/fibre whatever or a mobile-phone-network adapter plugged into a USB port as its Internet connection.